systemprompt_security/
error.rs1use thiserror::Error;
13
14#[derive(Debug, Error)]
15pub enum AuthError {
16 #[error("missing authorization header")]
17 MissingAuthorization,
18
19 #[error("invalid JWT token: {0}")]
20 InvalidToken(#[source] jsonwebtoken::errors::Error),
21
22 #[error("missing session_id in token")]
23 MissingSessionId,
24
25 #[error("hook token: missing or non-`hook` audience")]
26 HookAudienceMissing,
27
28 #[error("hook token: required scope `{0}` not present")]
29 HookScopeMissing(&'static str),
30
31 #[error("hook token: missing `plugin_id` claim")]
32 HookPluginIdMissing,
33
34 #[error(
35 "hook token: plugin_id `{actual}` in claim does not match request plugin_id `{expected}`"
36 )]
37 HookPluginIdMismatch { expected: String, actual: String },
38
39 #[error("token has unsupported algorithm `{got}`; only RS256 is accepted")]
40 UnsupportedAlgorithm { got: String },
41
42 #[error("audience policy is empty; token decoding requires at least one expected audience")]
43 EmptyAudiencePolicy,
44
45 #[error("token is missing `kid` header")]
46 MissingKid,
47
48 #[error("token `kid` `{0}` does not match any known signing key")]
49 UnknownKid(String),
50
51 #[error("signing key lookup failed: {0}")]
52 KeyLookup(String),
53
54 #[error("issuer `{0}` is not trusted")]
55 UntrustedIssuer(String),
56
57 #[error("JWKS fetch failed for issuer `{issuer}`: {source}")]
58 JwksFetch {
59 issuer: String,
60 #[source]
61 source: crate::keys::JwksClientError,
62 },
63
64 #[error("token `act` delegation chain exceeds maximum depth of {max} (got {depth})")]
65 ActChainTooDeep { depth: usize, max: usize },
66
67 #[error("token is missing the `scope` claim")]
68 MissingScope,
69
70 #[error("token `user_type` claim `{claimed}` does not match permissions (derived `{derived}`)")]
71 UserTypeMismatch {
72 claimed: systemprompt_models::auth::UserType,
73 derived: systemprompt_models::auth::UserType,
74 },
75}
76
77#[derive(Debug, Error)]
78pub enum JwtError {
79 #[error("jwt encoding failed: {0}")]
80 Encoding(#[from] jsonwebtoken::errors::Error),
81
82 #[error("jwt signing key unavailable: {0}")]
83 Signing(String),
84}
85
86#[derive(Debug, Error)]
87pub enum ManifestSigningError {
88 #[error("manifest signing seed unavailable: {0}")]
89 SeedUnavailable(String),
90
91 #[error("jcs canonicalize: {0}")]
92 Canonicalize(String),
93
94 #[error("signing key missing after initialization")]
95 KeyMissing,
96}
97
98pub type AuthResult<T> = Result<T, AuthError>;
99
100pub type JwtResult<T> = Result<T, JwtError>;
101
102pub type ManifestSigningResult<T> = Result<T, ManifestSigningError>;